How to grant temporary guest or anonymous access to a Cognito protected API via Email or SMS OTP?

0

I'm building a mobile application that has its backend accessed via API Gateway, and secured with Cognito User pools.

The app has quite a long onboarding process, and for business reasons it has to be that way. That onboarding process calls a couple of API endpoints to get certain information, and all of that is done before we can create the user, so all of these APIs have to be accessed by a "guest user".

Is there a way to protect those APIs with a token generated from an OTP (link) sent via Email or SMS?

PS: I am clear that it is necessary to build a custom authenticator.

I have read most of the Cognito documentation and I only see this kind of custom authentication flow (magic link), but it only works with an existing user.

https://aws.amazon.com/blogs/mobile/implementing-passwordless-email-authentication-with-amazon-cognito/

The final result that I want to achieve is to allow only OTP-verified users to use the onboarding APIs, maybe via a temporary access_token configured via the OTP link?

Desired flow: https://i.stack.imgur.com/qq1Qk.png

1 Answer
0

How about creating a temporary user in the Cognito User Pool for this kind of one-time access? You could hide the user-creation process from your end user to keep it friendly and just use the entered email address to create the user. For more information, see "Creating user accounts as administrator" [https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-create-user-accounts.html].

Cognito could help you release the user by setting an expiration time limit for it (the default setting is 7 days, up to 90 days).

AWS
answered 5 months ago
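The following is an added worked example, not code from the question, the answer, or AWS. It combines the answer's suggestion (silently admin-create a user from the entered email) with the custom authentication flow the question links to, implemented as the three Cognito Lambda triggers (DefineAuthChallenge, CreateAuthChallenge, VerifyAuthChallengeResponse) that deliver and check an email/SMS OTP. The event and response field names follow the Cognito trigger documentation; the `admin_create_user` call is the boto3 one, invoked through an injected client so it can be exercised offline; `provision_guest_user`, `simulate_custom_auth`, `send_otp`, `MAX_ATTEMPTS` and the "EMAIL_OTP" metadata string are hypothetical names chosen here. The simulated Cognito loop at the end is a constructed stand-in for InitiateAuth/RespondToAuthChallenge so the handlers can be run without a user pool.

```python
"""Guest onboarding via a temporary Cognito user plus an email/SMS OTP
custom-auth challenge (CUSTOM_AUTH flow). The trigger handlers are plain
functions of the Cognito event dict, so they can be exercised offline."""
import hmac
import secrets
import string

MAX_ATTEMPTS = 3   # wrong OTP answers tolerated before the session is failed
OTP_DIGITS = 6


def provision_guest_user(idp, user_pool_id, email):
    """Create the guest user silently from the entered email (the answer's
    suggestion). `idp` is a boto3 cognito-idp client (or a fake in tests).
    MessageAction=SUPPRESS stops Cognito's own invitation email; the OTP is
    delivered by CreateAuthChallenge instead. The unused account expires per
    the pool's temporary-password validity setting."""
    return idp.admin_create_user(
        UserPoolId=user_pool_id,
        Username=email,
        UserAttributes=[{"Name": "email", "Value": email},
                        {"Name": "email_verified", "Value": "true"}],
        MessageAction="SUPPRESS",
    )


def define_auth_challenge(event):
    """DefineAuthChallenge trigger: drive the state machine from the session
    history. Fails closed after MAX_ATTEMPTS wrong answers."""
    session = event["request"]["session"]
    resp = event["response"]
    failures = sum(1 for s in session if not s["challengeResult"])
    if failures >= MAX_ATTEMPTS:
        resp.update(challengeName=None, issueTokens=False, failAuthentication=True)
    elif (session and session[-1]["challengeName"] == "CUSTOM_CHALLENGE"
          and session[-1]["challengeResult"]):
        resp.update(issueTokens=True, failAuthentication=False)
    else:
        resp.update(challengeName="CUSTOM_CHALLENGE", issueTokens=False,
                    failAuthentication=False)
    return event


def create_auth_challenge(event, send_otp):
    """CreateAuthChallenge trigger: mint an OTP, deliver it out of band via
    `send_otp(destination, code)`, and keep the secret only in
    privateChallengeParameters, which Cognito never returns to the client."""
    if event["request"]["challengeName"] != "CUSTOM_CHALLENGE":
        return event
    otp = "".join(secrets.choice(string.digits) for _ in range(OTP_DIGITS))
    email = event["request"]["userAttributes"]["email"]
    send_otp(email, otp)
    event["response"]["publicChallengeParameters"] = {"email": email}
    event["response"]["privateChallengeParameters"] = {"otp": otp}
    event["response"]["challengeMetadata"] = "EMAIL_OTP"
    return event


def verify_auth_challenge_response(event):
    """VerifyAuthChallengeResponse trigger: constant-time comparison of the
    client's answer against the stored OTP."""
    expected = event["request"]["privateChallengeParameters"]["otp"]
    answer = str(event["request"].get("challengeAnswer", ""))
    event["response"]["answerCorrect"] = hmac.compare_digest(
        expected.encode(), answer.encode())
    return event


def simulate_custom_auth(email, client_answer):
    """Constructed stand-in for Cognito's CUSTOM_AUTH loop. `client_answer`
    is called with the OTP that was 'sent' and returns what the client
    submits. Returns ("TOKENS" | "FAILED", number_of_rounds)."""
    outbox, session = [], []
    attrs = {"email": email}
    while True:
        r = define_auth_challenge({"request": {"session": list(session),
                                   "userAttributes": attrs}, "response": {}})["response"]
        if r["failAuthentication"]:
            return "FAILED", len(session)
        if r["issueTokens"]:
            return "TOKENS", len(session)
        ev = create_auth_challenge({"request": {"challengeName": r["challengeName"],
                                    "session": list(session), "userAttributes": attrs},
                                    "response": {}},
                                   lambda _to, code: outbox.append(code))
        ev = verify_auth_challenge_response({"request": {
            "privateChallengeParameters": ev["response"]["privateChallengeParameters"],
            "challengeAnswer": client_answer(outbox[-1]), "userAttributes": attrs},
            "response": {}})
        session.append({"challengeName": "CUSTOM_CHALLENGE",
                        "challengeResult": ev["response"]["answerCorrect"],
                        "challengeMetadata": "EMAIL_OTP"})


if __name__ == "__main__":
    print(simulate_custom_auth("guest@example.com", lambda otp: otp))    # correct
    print(simulate_custom_auth("guest@example.com", lambda otp: "nope"))  # locked out
```

Two design points worth keeping when adapting this: the tokens Cognito issues at the end are ordinary user-pool tokens, so if the guest must reach only the onboarding endpoints, put the provisioned user in a dedicated group (or use a resource-server scope) and have the API Gateway authorizer check that claim; and delete or convert the temporary user once real sign-up completes rather than relying solely on the pool's expiry window.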
